Avoid setting up DHCP firewall rules with FlatManager

Fixes bug #704737 With FlatManager, ensure that the network info's dhcp_server value is not set and use that key to decide in the compute service whether DHCP firewall rules should be added. Change-Id: I8183a6fa3881adea1a09f3f1a29442e6b7a919ce
author: hua zhang <zhhuabj@cn.ibm.com> 2012-05-09 14:11:00 +0800
committer: hua zhang <zhhuabj@cn.ibm.com> 2012-05-14 17:12:29 +0800
commit: 763a3678407b244b680fd0bf2c6bcee60e8352c2 (patch)
tree: 09975f4e0cad91c5b27acf601c1fd370304fc083 /nova/virt
parent: 2c7e0d1e63cae7aaa38095439843c9a2abb0382b (diff)
2 files changed, 14 insertions, 2 deletions
diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index a0644cafc..9cc801cc8 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -101,10 +101,17 @@ class NWFilterFirewall(base_firewall.FirewallDriver):
         LOG.info(_('Ensuring static filters'), instance=instance)
         self._ensure_static_filters()
 
+        allow_dhcp = False
+        for (network, mapping) in network_info:
+            if mapping['dhcp_server']:
+                allow_dhcp = True
+                break
         if instance['image_ref'] == str(FLAGS.vpn_image_id):
             base_filter = 'nova-vpn'
-        else:
+        elif allow_dhcp:
             base_filter = 'nova-base'
+        else:
+            base_filter = 'nova-nodhcp'
 
         for (network, mapping) in network_info:
             nic_id = mapping['mac'].replace(':', '')
@@ -128,6 +135,10 @@ class NWFilterFirewall(base_firewall.FirewallDriver):
                                                     'no-ip-spoofing',
                                                     'no-arp-spoofing',
                                                     'allow-dhcp-server']))
+        self._define_filter(self._filter_container('nova-nodhcp',
+                                                   ['no-mac-spoofing',
+                                                    'no-ip-spoofing',
+                                                    'no-arp-spoofing']))
         self._define_filter(self._filter_container('nova-vpn',
                                                    ['allow-dhcp-server']))
         self._define_filter(self.nova_dhcp_filter)
diff --git a/nova/virt/libvirt/vif.py b/nova/virt/libvirt/vif.py
index 80b34220d..07ac50520 100644
--- a/nova/virt/libvirt/vif.py
+++ b/nova/virt/libvirt/vif.py
@@ -64,7 +64,8 @@ class LibvirtBridgeDriver(vif.VIFDriver):
 
         conf.filtername = "nova-instance-" + instance['name'] + "-" + mac_id
         conf.add_filter_param("IP", mapping['ips'][0]['ip'])
-        conf.add_filter_param("DHCPSERVER", mapping['dhcp_server'])
+        if mapping['dhcp_server']:
+            conf.add_filter_param("DHCPSERVER", mapping['dhcp_server'])
 
         if FLAGS.use_ipv6:
             conf.add_filter_param("RASERVER",
author	hua zhang <zhhuabj@cn.ibm.com>	2012-05-09 14:11:00 +0800
committer	hua zhang <zhhuabj@cn.ibm.com>	2012-05-14 17:12:29 +0800
commit	763a3678407b244b680fd0bf2c6bcee60e8352c2 (patch)
tree	09975f4e0cad91c5b27acf601c1fd370304fc083 /nova/virt
parent	2c7e0d1e63cae7aaa38095439843c9a2abb0382b (diff)